Snort mailing list archives
Re: snort suddenly stopped to record events
From: "Alex" <linux () vfemail net>
Date: Mon, 29 Jul 2013 15:11:26 +0300
Hi Waldo,

I've just commented out the following line in snort.conf:

preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }

and restarted snort. After that, I've used an nmap scan (the same as last time, to find open ports on the target, UDP and TCP). In the logs appeared: TCP Portscan ... UDP Portscan

Jul 29 14:43:12 ids snort[11851]: Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Jul 29 14:45:48 ids snort[11631]: [122:1:1] portscan: TCP Portscan [Classification: Attempted Information Leak] [Priority: 2]: <eth1> {PROTO:255} 192.168.48.1 -> 192.168.48.200
Jul 29 14:45:59 ids snort[11631]: [122:17:1] portscan: UDP Portscan [Classification: Attempted Information Leak] [Priority: 2]: <eth1> {PROTO:255} 192.168.48.1 -> 192.168.48.200
Jul 29 14:47:07 ids snort[11631]: [122:19:1] portscan: UDP Portsweep [Classification: Attempted Information Leak] [Priority: 2]: <eth1> {PROTO:255} 192.168.48.30 -> 192.168.22.9
[root@ids ~]#

So, now I'm happy, snort is working :-)

Thank you very much Waldo for your help.

Regards,
Alx

----- Original Message -----
From: "waldo kitty" <wkitty42 () windstream net>
To: <snort-users () lists sourceforge net>
Sent: Friday, July 26, 2013 9:48 PM
Subject: Re: [Snort-users] snort suddenly stopped to record events
On 7/26/2013 10:18, Alex wrote:
> So, what should be commented out in snort.conf or what rules should be activated in order to make snort able to detect and identify such network scan?

check nmap for what those options generate as packets... then you'll have to find or write rules to detect those packets... they may exist already and be disabled... i don't know... i had to specifically disable some ICMP rules in my locations to turn off alerts from them but i think they were from a different supplier... you might also want to use the community rules if you are not already... they might have related scan type rules...

--
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
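The syslog lines Alex pasted are the standard Snort 2.x alert format: `[gid:sid:rev]`, message, classification, priority, interface, protocol and `src -> dst`. The portscan events all carry generator id 122 (the sfportscan preprocessor), and each scan type has its own sid (1 = TCP Portscan, 17 = UDP Portscan, 19 = UDP Portsweep in the lines above). The script below is an added example, not code from the thread or from the Snort project: it parses those lines, skips the non-alert status line ("Detect Scan Type: ..."), and tallies scanner/target pairs so you can confirm the preprocessor is firing after a config change. The regular expression and the `SAMPLE_LOG` list are this example's own; the log lines in it are copied from Alex's message.

```python
"""Parse Snort 2.x syslog alert lines and summarise sfportscan (GID 122) events."""
import re
from collections import Counter

# Alert line format as emitted by Snort 2.x through the syslog output plugin.
# The regex is this example's own construction, matched against the lines in the post.
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) snort\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<classification>[^\]]+)\] "
    r"\[Priority: (?P<priority>\d+)\]: "
    r"<(?P<iface>[^>]+)> \{(?P<proto>[^}]+)\} "
    r"(?P<src>\S+) -> (?P<dst>\S+)$"
)

PORTSCAN_GID = 122  # generator id used by the sfportscan preprocessor

# Sample input: the lines quoted in the message above (the first one is a
# status message, not an alert, and must be ignored by the parser).
SAMPLE_LOG = [
    "Jul 29 14:43:12 ids snort[11851]: Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan",
    "Jul 29 14:45:48 ids snort[11631]: [122:1:1] portscan: TCP Portscan [Classification: Attempted Information Leak] [Priority: 2]: <eth1> {PROTO:255} 192.168.48.1 -> 192.168.48.200",
    "Jul 29 14:45:59 ids snort[11631]: [122:17:1] portscan: UDP Portscan [Classification: Attempted Information Leak] [Priority: 2]: <eth1> {PROTO:255} 192.168.48.1 -> 192.168.48.200",
    "Jul 29 14:47:07 ids snort[11631]: [122:19:1] portscan: UDP Portsweep [Classification: Attempted Information Leak] [Priority: 2]: <eth1> {PROTO:255} 192.168.48.30 -> 192.168.22.9",
]


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not a Snort alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    for key in ("pid", "gid", "sid", "rev", "priority"):
        fields[key] = int(fields[key])
    return fields


def portscan_events(lines):
    """Keep only alerts raised by the sfportscan preprocessor (GID 122)."""
    events = []
    for line in lines:
        alert = parse_alert(line)
        if alert is not None and alert["gid"] == PORTSCAN_GID:
            events.append(alert)
    return events


def summarize(lines):
    """Count portscan alerts per (source, destination, scan type)."""
    counts = Counter()
    for alert in portscan_events(lines):
        counts[(alert["src"], alert["dst"], alert["msg"])] += 1
    return counts


if __name__ == "__main__":
    for (src, dst, msg), n in summarize(SAMPLE_LOG).items():
        print(f"{n:3d}  {src:>15} -> {dst:<15}  {msg}")
```

Feed it `grep snort /var/log/messages` (or wherever your syslog output goes) on a real sensor; a run that shows the 122:* events from your own nmap scan is the quickest check that the preprocessor is actually enabled and reaching the output plugin, independent of any rule set.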
Current thread:
- snort suddenly stopped to record events linux (Jul 22)
- Re: snort suddenly stopped to record events waldo kitty (Jul 22)
- Re: snort suddenly stopped to record events linux (Jul 23)
- Re: snort suddenly stopped to record events waldo kitty (Jul 23)
- Re: snort suddenly stopped to record events Alex (Jul 24)
- Re: snort suddenly stopped to record events Peter Bates (Jul 24)
- Re: snort suddenly stopped to record events waldo kitty (Jul 24)
- Re: snort suddenly stopped to record events Alex (Jul 26)
- Re: snort suddenly stopped to record events waldo kitty (Jul 26)
- Re: snort suddenly stopped to record events Alex (Jul 29)
- Re: snort suddenly stopped to record events linux (Jul 23)
- Re: snort suddenly stopped to record events waldo kitty (Jul 22)